/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.acegisecurity.providers.dao;

 import org.acegisecurity.AccountExpiredException;

 import org.acegisecurity.AcegiMessageSource;

 import org.acegisecurity.Authentication;

 import org.acegisecurity.AuthenticationException;

 import org.acegisecurity.BadCredentialsException;

 import org.acegisecurity.CredentialsExpiredException;

 import org.acegisecurity.DisabledException;

 import org.acegisecurity.LockedException;

 import org.acegisecurity.providers.AuthenticationProvider;

 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

 import org.acegisecurity.providers.dao.cache.NullUserCache;

 import org.acegisecurity.userdetails.UserDetails;

 import org.acegisecurity.userdetails.UserDetailsService;

 import org.acegisecurity.userdetails.UsernameNotFoundException;

 import org.acegisecurity.userdetails.UserDetailsChecker;

 import org.springframework.beans.factory.InitializingBean;

 import org.springframework.context.MessageSource;

 import org.springframework.context.MessageSourceAware;

 import org.springframework.context.support.MessageSourceAccessor;

 import org.springframework.util.Assert;

 /**

  * A base {@link AuthenticationProvider} that allows subclasses to override and work with {@link

  * org.acegisecurity.userdetails.UserDetails} objects. The class is designed to respond to {@link

  * UsernamePasswordAuthenticationToken} authentication requests.

  *

  * <p>

  * Upon successful validation, a <code>UsernamePasswordAuthenticationToken</code> will be created and returned to the

  * caller. The token will include as its principal either a <code>String</code> representation of the username, or the

  * {@link UserDetails} that was returned from the authentication repository. Using <code>String</code> is appropriate

  * if a container adapter is being used, as it expects <code>String</code> representations of the username.

  * Using <code>UserDetails</code> is appropriate if you require access to additional properties of the authenticated

  * user, such as email addresses, human-friendly names etc. As container adapters are not recommended to be used,

  * and <code>UserDetails</code> implementations provide additional flexibility, by default a <code>UserDetails</code>

  * is returned. To override this

  * default, set the {@link #setForcePrincipalAsString} to <code>true</code>.

  * </p>

  *  <p>Caching is handled via the <code>UserDetails</code> object being placed in the {@link UserCache}. This

  * ensures that subsequent requests with the same username can be validated without needing to query the {@link

  * UserDetailsService}. It should be noted that if a user appears to present an incorrect password, the {@link

  * UserDetailsService} will be queried to confirm the most up-to-date password was used for comparison.</p>

  *

  * @author Ben Alex

  * @version $Id: AbstractUserDetailsAuthenticationProvider.java 2654 2008-02-18 20:44:09Z luke_t $

  */

 public abstract class AbstractUserDetailsAuthenticationProvider implements AuthenticationProvider, InitializingBean,

         MessageSourceAware {

     //~ Instance fields ================================================================================================

     protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();

     private UserCache userCache = new NullUserCache();

     private boolean forcePrincipalAsString = false;

     protected boolean hideUserNotFoundExceptions = true;

     private UserDetailsChecker preAuthenticationChecks = new DefaultPreAuthenticationChecks();

     private UserDetailsChecker postAuthenticationChecks = new DefaultPostAuthenticationChecks();

     //~ Methods ========================================================================================================

     /**

      * Allows subclasses to perform any additional checks of a returned (or cached) <code>UserDetails</code>

      * for a given authentication request. Generally a subclass will at least compare the {@link

      * Authentication#getCredentials()} with a {@link UserDetails#getPassword()}. If custom logic is needed to compare

      * additional properties of <code>UserDetails</code> and/or <code>UsernamePasswordAuthenticationToken</code>,

      * these should also appear in this method.

      *

      * @param userDetails as retrieved from the {@link #retrieveUser(String, UsernamePasswordAuthenticationToken)} or

      *        <code>UserCache</code>

      * @param authentication the current request that needs to be authenticated

      *

      * @throws AuthenticationException AuthenticationException if the credentials could not be validated (generally a

      *         <code>BadCredentialsException</code>, an <code>AuthenticationServiceException</code>)

      */

     protected abstract void additionalAuthenticationChecks(UserDetails userDetails,

         UsernamePasswordAuthenticationToken authentication)

         throws AuthenticationException;

     public final void afterPropertiesSet() throws Exception {

         Assert.notNull(this.userCache, "A user cache must be set");

         Assert.notNull(this.messages, "A message source must be set");

         doAfterPropertiesSet();

     }

     public Authentication authenticate(Authentication authentication)

         throws AuthenticationException {

         Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,

             messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports",

                 "Only UsernamePasswordAuthenticationToken is supported"));

         // Determine username

         String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();

         boolean cacheWasUsed = true;

         UserDetails user = this.userCache.getUserFromCache(username);

         if (user == null) {

             cacheWasUsed = false;

             try {

                 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);

             } catch (UsernameNotFoundException notFound) {

                 if (hideUserNotFoundExceptions) {

                     throw new BadCredentialsException(messages.getMessage(

                             "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));

                 } else {

                     throw notFound;

                 }

             }

             Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");

         }

         preAuthenticationChecks.check(user);

         // This check must come here, as we don't want to tell users

         // about account status unless they presented the correct credentials

         try {

             additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);

         } catch (AuthenticationException exception) {

             if (cacheWasUsed) {

                 // There was a problem, so try again after checking

                 // we're using latest data (ie not from the cache)

                 cacheWasUsed = false;

                 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);

                 additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);

             } else {

                 throw exception;

             }

         }

         postAuthenticationChecks.check(user);

         if (!cacheWasUsed) {

             this.userCache.putUserInCache(user);

         }

         Object principalToReturn = user;

         if (forcePrincipalAsString) {

             principalToReturn = user.getUsername();

         }

         return createSuccessAuthentication(principalToReturn, authentication, user);

     }

     /**

      * Creates a successful {@link Authentication} object.<p>Protected so subclasses can override.</p>

      *  <p>Subclasses will usually store the original credentials the user supplied (not salted or encoded

      * passwords) in the returned <code>Authentication</code> object.</p>

      *

      * @param principal that should be the principal in the returned object (defined by the {@link

      *        #isForcePrincipalAsString()} method)

      * @param authentication that was presented to the provider for validation

      * @param user that was loaded by the implementation

      *

      * @return the successful authentication token

      */

     protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,

         UserDetails user) {

         // Ensure we return the original credentials the user supplied,

         // so subsequent attempts are successful even with encoded passwords.

         // Also ensure we return the original getDetails(), so that future

         // authentication events after cache expiry contain the details

         UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,

                 authentication.getCredentials(), user.getAuthorities());

         result.setDetails(authentication.getDetails());

         return result;

     }

     protected void doAfterPropertiesSet() throws Exception {}

     public UserCache getUserCache() {

         return userCache;

     }

     public boolean isForcePrincipalAsString() {

         return forcePrincipalAsString;

     }

     public boolean isHideUserNotFoundExceptions() {

         return hideUserNotFoundExceptions;

     }

     /**

      * Allows subclasses to actually retrieve the <code>UserDetails</code> from an implementation-specific

      * location, with the option of throwing an <code>AuthenticationException</code> immediately if the presented

      * credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in

      * order to obtain or generate a <code>UserDetails</code>).<p>Subclasses are not required to perform any

      * caching, as the <code>AbstractUserDetailsAuthenticationProvider</code> will by default cache the

      * <code>UserDetails</code>. The caching of <code>UserDetails</code> does present additional complexity as this

      * means subsequent requests that rely on the cache will need to still have their credentials validated, even if

      * the correctness of credentials was assured by subclasses adopting a binding-based strategy in this method.

      * Accordingly it is important that subclasses either disable caching (if they want to ensure that this method is

      * the only method that is capable of authenticating a request, as no <code>UserDetails</code> will ever be

      * cached) or ensure subclasses implement {@link #additionalAuthenticationChecks(UserDetails,

      * UsernamePasswordAuthenticationToken)} to compare the credentials of a cached <code>UserDetails</code> with

      * subsequent authentication requests.</p>

      *  <p>Most of the time subclasses will not perform credentials inspection in this method, instead

      * performing it in {@link #additionalAuthenticationChecks(UserDetails, UsernamePasswordAuthenticationToken)} so

      * that code related to credentials validation need not be duplicated across two methods.</p>

      *

      * @param username The username to retrieve

      * @param authentication The authentication request, which subclasses <em>may</em> need to perform a binding-based

      *        retrieval of the <code>UserDetails</code>

      *

      * @return the user information (never <code>null</code> - instead an exception should the thrown)

      *

      * @throws AuthenticationException if the credentials could not be validated (generally a

      *         <code>BadCredentialsException</code>, an <code>AuthenticationServiceException</code> or

      *         <code>UsernameNotFoundException</code>)

      */

     protected abstract UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)

         throws AuthenticationException;

     public void setForcePrincipalAsString(boolean forcePrincipalAsString) {

         this.forcePrincipalAsString = forcePrincipalAsString;

     }

     /**

      * By default the <code>AbstractUserDetailsAuthenticationProvider</code> throws a

      * <code>BadCredentialsException</code> if a username is not found or the password is incorrect. Setting this

      * property to <code>false</code> will cause <code>UsernameNotFoundException</code>s to be thrown instead for the

      * former. Note this is considered less secure than throwing <code>BadCredentialsException</code> for both

      * exceptions.

      *

      * @param hideUserNotFoundExceptions set to <code>false</code> if you wish <code>UsernameNotFoundException</code>s

      *        to be thrown instead of the non-specific <code>BadCredentialsException</code> (defaults to

      *        <code>true</code>)

      */

     public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions) {

         this.hideUserNotFoundExceptions = hideUserNotFoundExceptions;

     }

     public void setMessageSource(MessageSource messageSource) {

         this.messages = new MessageSourceAccessor(messageSource);

     }

     public void setUserCache(UserCache userCache) {

         this.userCache = userCache;

     }

     protected UserDetailsChecker getPreAuthenticationChecks() {

         return preAuthenticationChecks;

     }

     /**

      * Sets the policy will be used to verify the status of the loaded <tt>UserDetails</tt> <em>before</em>

      * validation of the credentials takes place.

      *

      * @param preAuthenticationChecks strategy to be invoked prior to authentication. 

      */

     public void setPreAuthenticationChecks(UserDetailsChecker preAuthenticationChecks) {

         this.preAuthenticationChecks = preAuthenticationChecks;

     }

     protected UserDetailsChecker getPostAuthenticationChecks() {

         return postAuthenticationChecks;

     }

     public void setPostAuthenticationChecks(UserDetailsChecker postAuthenticationChecks) {

         this.postAuthenticationChecks = postAuthenticationChecks;

     }    

     public boolean supports(Class authentication) {

         return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));

     }

     private class DefaultPreAuthenticationChecks implements UserDetailsChecker {

         public void check(UserDetails user) {

             if (!user.isAccountNonLocked()) {

                 throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",

                         "User account is locked"), user);

             }

             if (!user.isEnabled()) {

                 throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",

                         "User is disabled"), user);

             }

             if (!user.isAccountNonExpired()) {

                 throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",

                         "User account has expired"), user);

             }

         }

     }

     private class DefaultPostAuthenticationChecks implements UserDetailsChecker {

         public void check(UserDetails user) {

             if (!user.isCredentialsNonExpired()) {

                 throw new CredentialsExpiredException(messages.getMessage(

                         "AbstractUserDetailsAuthenticationProvider.credentialsExpired",

                         "User credentials have expired"), user);

             }

         }

     }

 }